When I installed Mint I chose to encrypt my drive, to require a password to boot. I had a security issue (not with my computer, I gave the password to someone I no longer want to access my computer). Now I want to change the password, but I can't figure out how. I would also like to remove the current user account I have on the computer, and replace it with one that has a new username and password.

@Laurent85
Thanks for the tips. I should have been more clear, I know how to add users. My problem is that I want the new user to have all the same files, apps, settings, etc. Basically I want to have the exact same setup as before, but with a new user/password. When I log in as the new user I get a bare system, like when I first installed. I went through a lot of trouble setting up my system, I don't want to go through that again. Help!

Hello mentha scholasticus - Here's something you should consider: When you boot your machine, you must enter the encryption key first, and the user password second. If someone cannot get beyond the encryption key, they'll never have the opportunity to enter the user password. So there's really no need to create a new user name and password as long as you change the encryption key.

Laurent85 has already mentioned the solution to this: Create a new encryption key, store it in a different key slot, and delete the old one. Here's an outline of how to proceed:

1.) Boot your machine and open the Terminal. Based on the info you provided in your last post, the encrypted volume is /dev/sda3. What you need to do first is find out which key slot is used to store your current encryption key. If you've never changed anything since you installed, it's probably key slot 0, but you should verify this regardless. To do so, enter " sudo cryptsetup luksDump /dev/sda3 ", examine the output, and verify that key slot 0 is shown as "Enabled", and that key slots 1 through 7 are shown as "Disabled".

2.) Now you can create a new encryption password and store it in key slot 1 (or any other unused key slot). To do this, enter " sudo cryptsetup luksAddKey /dev/sda3 -S 1 " (the -S option specifies the key slot 1 will be used). You will be prompted to enter your new encryption key twice. At this point, you will have two encryption keys stored in the luks volume header: Your original key stored in key slot 0 and the new key stored in key slot 1. Both can be used to unlock the encrypted volume /dev/sda3 during system boot.

3.) Now close the Terminal. Before doing anything else, reboot the machine, and use your new encryption key to unlock the encrypted volume /dev/sda3 during system boot. NOTE: It's extremely important to verify the new key works before proceeding to the next step, or you might find yourself locked out without a key!

4.) After reboot, open the Terminal, and delete the original key stored in key slot 0. To do this, enter " sudo cryptsetup luksRemoveKey /dev/sda3 -S 0 ". You should be prompted to enter the original key (not the new one!) to confirm this action.

NOTE: There is a quick and dirty way to do all of this using a single command: " sudo cryptsetup luksChangeKey /dev/sda3 -S 0 ". There is one thing I don't like about doing it this way: You are only prompted once to enter a new key. There is no second prompt to confirm the key change! If you screw it up, you're locked out. This is why I outlined the longer but safer way of doing this in the first place.

"When you rise in the morning, give thanks for the light, for your life, for your strength. Give thanks for your food and for the joy of living. If you see no reason to give thanks, the fault lies in yourself." - Tecumseh

Derek_S wrote:
You will be prompted to enter your new encryption key twice.

Thank you Derek_S! It worked except for one thing: it did not ask me to enter the passphrase twice. As a result, the first one I tried, I messed up, and now I have a key slot with a passphrase that I don't know! The second time around, I got it right, and erased the passphrase I was worried about, so I have a new passphrase. The problem is that since I messed up key slot 1, and it needs a passphrase I don't know, I don't know how to erase it and disable that key slot. Since even I don't know the passphrase, I'm not too worried, but in the interest of thoroughness, I would like to remove it. How do I remove the lost passphrase, or discover what it is?

Hello mentha scholasticus - Sorry for the bad info about entering the key twice. It used to work that way, but I guess this is yet another change in the cryptsetup command I'm unaware of.

I should amend my instructions in step 3 as well. Not only is it important to know that your new key works, it's also important to know which key slot it's stored in as well! If you have any doubts at all about which key is stored in which key slot, or whether it's a working key or not, here's what I suggest:

Use " sudo cryptsetup luksDump /dev/sda3 " to verify that key slot 7 is unused. Then create a new key and store it in key slot 7 - " sudo cryptsetup luksAddKey /dev/sda3 -S 7 ". Verify this new key works by rebooting and entering it at system boot. NOTE: It doesn't matter if this new key is a duplicate of any key you created previously; it's much more important to be sure that it's stored in key slot 7.

Then use " cryptsetup luksKillSlot -S 0 ", "cryptsetup luksKillSlot -S 1 ", and so on to remove all the other keys in all the other key slots starting at key slot zero and working on up. Use " sudo cryptsetup luksDump /dev/sda3 " to check your progress and verify that key slot 7 is the only one left with a working key.

What I don't get is that I am specifying the keyslot, and I've tried adding the device, as in: " cryptsetup luksKillSlot /dev/sda3 -S 1 ". I'm new at this, so the syntax escapes me. What am I doing wrong?

"...that i lost my Password to..." To modify LUKS key-slots you must supply one of the existing keys. Ideally, you know what it is. If you have a good idea of what it is, there are programs to auto-guess LUKS passwords, unavoidably limited to (roughly) 1 guess per second by the LUKS system itself.

To lose one Death Star is unfortunate, to lose two is sheer carelessness.
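
Added example (not part of the original thread): a shell helper that reads "cryptsetup luksDump" text, lists the occupied key slots in either the LUKS1 or the LUKS2 layout, and prints, without running them, the commands to test the slot you keep and wipe the others. The function names and both sample dumps are constructed for illustration; luksKillSlot takes the slot number as a positional argument and asks for a passphrase from a remaining slot, so the forgotten one is not needed.

```shell
# Added example: prints a cleanup plan only; it never touches a device.

# Read `cryptsetup luksDump` text on stdin; print one occupied slot number per line.
enabled_slots() {
  awk '
    /^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3; next }  # LUKS1 layout
    /^Keyslots:/  { in_ks = 1; next }                                # LUKS2 section
    /^[A-Za-z]/   { in_ks = 0 }       # any other top-level heading ends that section
    in_ks && /^  [0-9]+: / { sub(":", "", $1); print $1 }
  '
}

# usage: plan_cleanup DEVICE KEEP_SLOT < luksDump-output
plan_cleanup() {
  dev=$1; keep=$2
  slots=$(enabled_slots | tr '\n' ' ')
  case " $slots" in
    *" $keep "*) ;;
    *) echo "slot $keep is not in use; refusing to plan" >&2; return 1 ;;
  esac
  # Prove the passphrase you know opens the slot you keep (no reboot, nothing mapped).
  echo "sudo cryptsetup open --test-passphrase --key-slot $keep $dev"
  for s in $slots; do
    # luksKillSlot takes the slot number positionally, not through -S.
    [ "$s" = "$keep" ] || echo "sudo cryptsetup luksKillSlot $dev $s"
  done
}

# Constructed LUKS1-style dump (abridged): slots 1, 2 and 7 hold keys.
SAMPLE_LUKS1='LUKS header information for /dev/sda3
Version:        1
Key Slot 0: DISABLED
Key Slot 1: ENABLED
        Iterations:             1000000
Key Slot 2: ENABLED
Key Slot 3: DISABLED
Key Slot 7: ENABLED'
# Constructed LUKS2-style dump (abridged): slots 0 and 1 hold keys.
SAMPLE_LUKS2='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
Tokens:
Digests:
  0: pbkdf2'

printf '%s\n' "$SAMPLE_LUKS1" | plan_cleanup /dev/sda3 7
```

On a real system, feed it the live header with " sudo cryptsetup luksDump /dev/sda3 | plan_cleanup /dev/sda3 7 " and run the printed lines one at a time, checking luksDump again after each.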